Mindfully mobile: Follow basic BYOD hygiene

By Cam Roberson

Mar 13, 2014

Because of their size and concern with security, government agencies sometimes seem to be slow to adopt and slow to adapt. For example, while the bring-your-own-device trend is rapidly gaining ground in private industry, public institutions seem more wary. Recently, the British advised against allowing BYOD in the government workplace, and most U.S. agencies discourage or limit BYOD.

Indeed, evidence from the news cycle tends to be on the side of caution. BYOD exposes sensitive information to greater security risks because it makes data more portable. When employees bring their own devices into work and handle privileged information on them, that information is that much closer to someone with malicious intent absconding with it.

Caution, of course, will do little to stem the tide of progress. More employees (especially new hires) are entering the government workplace with the expectation that they can use their own devices for work. As such, agencies need to be prepared for the inevitable future where BYOD is the default standard.

Not all the news is bad, though. Agencies already have technology and policies in place to limit the damage from an unprotected or misplaced device. Here are a few quick measures that can help make BYOD even more feasible for government agencies:

Data encryption. Saying that data should be encrypted seems like a no-brainer, but encryption is often only as good as an individual's security habits. Security issues can be addressed by instituting changes in employee behavior, but a technology solution may be more effective, especially to ensure that data stays encrypted when it's not in use. For instance, data can be forced back into an encrypted state after authentication based on inactivity or some measure of time. Whether an employee has just left a device unattended or the device has fallen into the wrong hands, any data on that device would be safe once that time window has passed.

Organizational control. The utility of data has a shelf life. As such, employees only need access to sensitive data for a reasonable period of time – for instance, for the duration of a contract or project. After that time, the agency should revoke authentication or deny access to data on a particular device. Establishing automatic check-ins to an agency’s server or network to restrict access to encrypted data adds another layer of control. If the device doesn't pass the check, either because the agency has deemed access no longer necessary or because it has determined the device is at risk, authentication should be revoked or access immediately denied.

Failsafes. Plans for worst-case scenarios -- when devices are lost or stolen -- should be put in place. While lost devices are a headache for everyone, having the ability to remotely kill data or shut a device down limits the amount of leaked data.
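The three measures above can be combined into a single access decision that fails closed. The following is an added illustration, not code from the article or any product; the field names, thresholds and four-action model are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional


class Action(Enum):
    ALLOW = "allow"    # data stays unlocked for the authenticated user
    RELOCK = "relock"  # force data back to its encrypted state; re-authenticate
    DENY = "deny"      # revoke authentication or refuse access to the data
    WIPE = "wipe"      # failsafe: remotely kill agency data on the device


@dataclass
class Policy:  # thresholds are constructed sample values
    inactivity_limit: timedelta = timedelta(minutes=10)
    checkin_interval: timedelta = timedelta(hours=24)


@dataclass
class Device:  # hypothetical state kept for one enrolled device
    last_activity: datetime
    last_checkin: Optional[datetime]  # None = never reached the agency server
    access_expires: datetime          # end of the contract or project
    at_risk: bool = False             # agency has flagged the device
    reported_lost: bool = False


def decide(dev: Device, policy: Policy, now: datetime) -> Action:
    # Failsafe takes priority over every other condition.
    if dev.reported_lost:
        return Action.WIPE
    # Organizational control: the data's shelf life has ended or the
    # agency considers the device a risk.
    if dev.at_risk or now >= dev.access_expires:
        return Action.DENY
    # A missing, stale or future-dated check-in is treated as a failed
    # check (a future timestamp suggests the clock was set back).
    ci = dev.last_checkin
    if ci is None or ci > now or now - ci > policy.checkin_interval:
        return Action.DENY
    # Encryption: an idle device goes back to the encrypted state.
    idle = now - dev.last_activity
    if idle < timedelta(0) or idle > policy.inactivity_limit:
        return Action.RELOCK
    return Action.ALLOW
```

The order of the checks matters: a device that is both idle and overdue for a check-in is denied rather than merely relocked, so re-entering a passcode cannot bypass revocation.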

It's true that agencies may not be ready to fully enable BYOD right now, but it’s coming to the government workplace eventually. Federal, state and local agencies can begin to institute standards and habits to ensure that when BYOD comes in the door, the security of their networks and information doesn’t walk out.